| Started by | Chris Angelico <rosuav@gmail.com> |
|---|---|
| First post | 2015-03-08 18:42 +1100 |
| Last post | 2015-03-08 18:42 +1100 |
| Articles | 1 — 1 participant |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: Question about importlib Chris Angelico <rosuav@gmail.com> - 2015-03-08 18:42 +1100
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-03-08 18:42 +1100 |
| Subject | Re: Question about importlib |
| Message-ID | <mailman.164.1425800529.21433.python-list@python.org> |
On Sun, Mar 8, 2015 at 6:30 PM, Frank Millman <frank@chagford.com> wrote:
> Actually, as I write this, I realise that there is a more important question
> that had not occurred to me before. Is this a potential security risk? My
> intention is that the caller would only call functions within my own
> modules, but this could be used to call any arbitrary function.
Here's an easy solution to both halves of your problem. It guarantees
that arbitrary functions can't be called (or at least, that functions
from arbitrary modules can't be called), and guarantees predictable
performance:
    import some_module, another_module  # the only modules the caller may reach

    modules = {
        "some_module": some_module,
        "another_module": another_module,
    }

    module_name, func_name = func_name.rsplit('.', 1)
    module = modules.get(module_name)
    if module:
        getattr(module, func_name)(caller, xml_elem)
    else:
        # cope with invalid choice of module
        raise ValueError("invalid choice of module: %r" % module_name)
You could programmatically populate the dictionary (eg from a list of
acceptable module names) either with importlib or by pulling them from
sys.modules. But whichever way you do it, you have an easy guarantee
that arbitrary modules won't be imported, guaranteeing both security
and performance in one stroke.
ChrisA
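The allow-list dispatch described in the post, carried through as a runnable example (added here; it is not code from the original thread). It populates the dictionary programmatically from a list of acceptable module names via importlib, as the post suggests, and also closes the gap the post concedes ("functions from arbitrary modules can't be called" still leaves every attribute of the listed modules reachable) by refusing private names and non-callables. The two modules, their handler functions and the DispatchError class are constructed stand-ins built in memory for the demonstration.

```python
import importlib
import sys
import types

# Constructed stand-ins for the post's "some_module" / "another_module":
# built in memory and registered in sys.modules so importlib.import_module
# finds them exactly as it would find real modules on disk.
def _make_module(name, **attrs):
    mod = types.ModuleType(name)
    for attr, value in attrs.items():
        setattr(mod, attr, value)
    sys.modules[name] = mod
    return mod

def _greet(caller, xml_elem):
    return f"greet({caller}, {xml_elem})"

def _shout(caller, xml_elem):
    return f"SHOUT({caller}, {xml_elem})"

def _internal(caller, xml_elem):
    return "private helper; must not be reachable by name"

_make_module("some_module", greet=_greet, _internal=_internal)
_make_module("another_module", shout=_shout, NOT_A_FUNC=42)

# Allow-list of module names the caller may dispatch into. Only these are
# ever imported; any other dotted name is rejected before importlib runs,
# which is what gives both the security and the performance guarantee.
ACCEPTABLE_MODULES = ("some_module", "another_module")

# Populate the dispatch table programmatically, once, at startup.
MODULES = {name: importlib.import_module(name) for name in ACCEPTABLE_MODULES}


class DispatchError(ValueError):
    """Raised for any 'module.function' string that is not permitted."""


def dispatch(func_name, caller, xml_elem):
    """Call MODULE.FUNC named by func_name, but only if MODULE is allow-listed
    and FUNC is a public, callable attribute of that module."""
    if "." not in func_name:
        raise DispatchError(f"expected 'module.function', got {func_name!r}")
    module_name, attr = func_name.rsplit(".", 1)
    module = MODULES.get(module_name)
    if module is None:
        raise DispatchError(f"module {module_name!r} is not on the allow-list")
    # Extra guard beyond the post: no private/dunder names, no non-callables.
    if attr.startswith("_"):
        raise DispatchError(f"{attr!r} is not a public name")
    target = getattr(module, attr, None)
    if not callable(target):
        raise DispatchError(f"{module_name}.{attr} is not a callable function")
    return target(caller, xml_elem)


def try_dispatch(func_name, caller="c", xml_elem="<e/>"):
    """Return the handler's result, or the rejection reason as a string."""
    try:
        return dispatch(func_name, caller, xml_elem)
    except DispatchError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name in ("some_module.greet", "another_module.shout", "os.getcwd",
                 "some_module._internal", "another_module.NOT_A_FUNC", "nodot"):
        print(f"{name:28} -> {try_dispatch(name)}")
```

Because MODULES is built once from ACCEPTABLE_MODULES, a request naming any other module fails at the dictionary lookup and never touches importlib or sys.modules; the attribute checks are the second layer, limiting what can be reached inside an allowed module.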